• AICPA

    AICPA stands for the American Institute of Certified Public Accountants, the body that created the Service Organization Control (SOC) standard. It is the largest organization of accountants in the United States.

  • APRA Prudential Standard CPS 234

    Prudential Standard CPS 234 is a regulatory framework established by the Australian Prudential Regulation Authority (APRA) to enhance cybersecurity in the financial services industry. 

  • Business Associate Agreement (HIPAA)

    A HIPAA business associate is a person or organization that provides certain services or functions involving access to protected health information (PHI) on behalf of a covered entity.

  • Annex A Controls

    Annex A is part of the ISO 27001 standard document. It outlines all ISO 27001 controls and groups them into categories.

  • Auditor

    An auditor is an accounting firm hired by a company to assess whether it meets a compliance standard such as SOC 2 or ISO 27001. Compliance standards require companies to implement a long list of security controls.

  • Multi-Factor Authentication (MFA)

    Multi-factor authentication (MFA) is a multi-step login process that requires users to provide two or more pieces of information.

  • Authorization to Operate (ATO)

    Authorization to Operate (ATO) is the official decision given by a senior government official (the Authorizing Official) to authorize operation of an information system on behalf of a federal agency.

  • Authorizing Official

    An Authorizing Official (AO) is a senior official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations, organizational assets, individuals, other organizations, and the nation.

  • Bridge Letter

    A SOC 2 bridge letter is a document that provides information about the controls and systems of a service organization for a period of time that is not covered by a previously issued SOC 2 report.

  • CCPA

    The California Consumer Privacy Act (CCPA) declares that companies must inform consumers about how their data is being used and empowers consumers to decide how or if their data is shared. 

  • Cloud Compliance

    Cloud compliance refers to the set of rules and regulations that govern the use of cloud computing services.

  • Compliance Risk Management

    Compliance risk management is an organization’s process for regularly identifying, analyzing, and mitigating risks. In the context of SOC 2 and ISO 27001, risk management refers to security and compliance risk management, meaning you’ll want to understand risks relating to sector- and geography-specific regulations and compliance standards.

  • Compliance Software

    Compliance software is a software tool an organization can use to scan and monitor its vendors, systems, and controls to ensure they are compliant with certain security standards or regulations. Compliance software can be part of an organization's compliance risk management strategy to continuously track, monitor, and remediate any compliance risks that would jeopardize an organization's ability to stay compliant with relevant security standards and regulations.

  • Continuous Integration (CI) and Continuous Delivery (CD)

    Continuous Integration (CI) and Continuous Delivery (CD) are practices in software engineering for improving the development process through automation and streamlined workflows.

  • Control

    A control is a specific rule or safeguard used to improve a company’s security and compliance. Common types of safeguards include management, physical, legal, operational, and technical controls.

  • Access Control

    Access control is an essential aspect of security management and is used to protect resources, prevent unauthorized access, and ensure compliance.

  • SOC 2 Trust Services Criteria

    The AICPA Trust Services Criteria are the framework auditors use to determine which security and compliance controls they will test at a company.

  • Cybersecurity

    Cybersecurity is the body of technologies, processes, and practices designed to protect data, information, programs, systems, networks, and devices from digital attacks by unauthorized users over the internet.

  • Cybersecurity Maturity Model Certification (CMMC)

    The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework developed by the United States Department of Defense (DoD).

  • Data Integrity

    Data integrity refers to the accuracy, consistency, and reliability of data throughout its lifecycle, from creation to deletion.

  • Data Loss Prevention (DLP)

    Data loss prevention (DLP) is a set of policies and technologies designed to prevent sensitive or confidential information from being lost, stolen, or exposed.

  • Data Mining

    Data mining is the process of discovering patterns, trends, and insights from large datasets.

  • Defense Industrial Base

    The Defense Industrial Base (DIB) refers to the worldwide industrial complex that enables research and development, design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.

  • Defense Innovation Unit (DIU)

    The Defense Innovation Unit (DIU) is an organization within the United States Department of Defense (DoD) that works to strengthen national security by increasing the military's adoption of innovative commercial technology.

  • Department of Defense Information Network (DoDIN)

    The Department of Defense Information Network (DoDIN) is a global set of information capabilities, processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policymakers, and support personnel.

  • DevSecOps

    DevSecOps integrates security practices within the DevOps process.

  • Cardholder Data

    The Payment Card Industry Security Standards Council (PCI SSC) has established which cardholder data must be protected under PCI DSS.

  • Due Diligence Questionnaire (DDQ)

    A Due Diligence Questionnaire is a comprehensive questionnaire used to assess a company's business operations, financial performance, legal and regulatory compliance, and other key areas.

  • Management Assertion (SOC 2)

    A SOC 2 management assertion is a statement made by the management of a service organization describing the organization's commitment to the security, availability, processing integrity, confidentiality, and privacy of customer data.

  • HIPAA Covered Entity

    A covered entity is a health care provider, health plan, or health care clearinghouse that is subject to the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA).

  • Federal Information Security Management Act (FISMA)

    The Federal Information Security Management Act is United States legislation that was enacted as part of the Electronic Government Act of 2002.

  • Firewall

    A firewall is a network security device that monitors and controls incoming and outgoing network traffic.

  • GDPR

    In May 2018, the European Union implemented the General Data Protection Regulation (GDPR) to create one legal framework for collecting and processing personal information from individuals who live inside the European Economic Area. 

  • Governance, Risk, and Compliance (GRC)

    Governance, Risk, and Compliance (GRC) is a management framework that organizations use to ensure they are operating in a legal, ethical, and effective manner.

  • HIPAA

    Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 in order to create national standards to protect sensitive patient health data.

  • HIPAA Employee Training

    Healthcare organizations are legally required to have certain administrative safeguards, like employee training, in place to protect patient data against breaches and comply with HIPAA.

  • HIPAA Enforcement Rule

    The HIPAA Enforcement Rule governs violation investigations and penalties.

  • HIPAA Omnibus Rule

    The HIPAA Omnibus Rule, issued by HHS in 2013, implemented provisions of the HITECH Act, extended HIPAA's privacy and security requirements directly to business associates, and modified the Breach Notification Rule.

  • HIPAA Privacy Rule

    The HIPAA Privacy Rule establishes national standards for protecting the privacy and security of protected health information.

  • HIPAA Rules

    The Health Insurance Portability and Accountability Act (HIPAA) includes a set of rules to help healthcare organizations and their business associates protect the security and confidentiality of sensitive patient data. To become compliant, healthcare organizations must follow five HIPAA rules to safeguard this protected health information (PHI).

  • HIPAA Safeguards

    The HIPAA Security Rule outlines three types of safeguards — administrative, physical, and technical — to properly protect PHI.

  • HIPAA Security Rule

    The HIPAA Security Rule is a set of regulations issued by the U.S. Department of Health and Human Services (HHS) that establish national standards for protecting electronic personal health information (ePHI).

  • HITECH

    The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted under Title XIII of the American Recovery and Reinvestment Act (ARRA) of 2009.

  • ISO 27001

    ISO 27001 is a security and compliance standard created jointly by the International Organization for Standardization and the International Electrotechnical Commission.

  • ISO 27001 Stage 1 Audit

    An ISO 27001 certification audit happens in multiple stages. For organizations pursuing certification for the first time, the audit process begins with a Stage 1 audit, also referred to as an ISMS design review. 

  • ISO 27001 Stage 2 Audit

    An ISO 27001 Stage 2 audit is the second part of the two-stage audit process for ISO/IEC 27001 certification.

  • Information Security Management System (ISMS)

    The ISO 27001 standard evaluates an organization’s information security management system, or ISMS. 

  • Information Security Policy

    An information security policy is a set of rules and guidelines that define how an organization manages and protects its information assets, including data, systems, and networks.

  • Controlled Unclassified Information (CUI)

    Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls in accordance with applicable laws, regulations, and government-wide policies, but that is not classified.

  • Infrastructure as a Service (IaaS)

    Infrastructure as a Service (IaaS) is a cloud computing model in which a provider delivers virtualized computing resources, such as servers, storage, and networking, over the internet, so that organizations do not have to own and maintain the underlying physical infrastructure.

  • National Institute of Standards and Technology (NIST)

    The National Institute of Standards and Technology is a non-regulatory agency of the United States Department of Commerce.

  • Internal Audit

    An internal security audit is an evaluation of an organization's internal security controls, policies, and procedures to assess their effectiveness and identify areas for improvement.

  • International Organization for Standardization (ISO)

    ISO stands for the International Organization for Standardization, which is a non-governmental organization that develops and publishes international standards for a wide range of industries and sectors.

  • Intrusion Detection System (IDS)

    An intrusion detection system (IDS) is a network security technology designed to detect and respond to suspicious or malicious activity on a computer network.

  • Intrusion Prevention System (IPS)

    An intrusion prevention system (IPS) is a network security technology that monitors network traffic for suspicious or malicious activity and can automatically block it, going beyond the alerting that an intrusion detection system (IDS) provides.

  • Joint Interoperability Test Command (JITC)

    The Joint Interoperability Test Command (JITC) is part of the United States Department of Defense.

  • Keylogging

    Keylogging is a technique used to capture and record keystrokes made on a keyboard.

  • Malware

    Malicious software, abbreviated as malware, refers to any software or program specifically designed to cause damage, disruption, or interruption to computer systems, networks, or mobile devices.

  • NIST CSF

    The NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) is a set of voluntary guidelines, standards, and best practices for managing cybersecurity risks in critical infrastructure organizations.

  • Impact Levels

    Impact levels are used in certain security frameworks, such as those provided by the United States Department of Defense (DoD), to categorize the potential impact of the unauthorized disclosure, modification, or destruction of information.

  • On-Premises

    "On-premises" (or "On-prem") refers to the location and management of servers, resources, and IT infrastructure.

  • PCI Attestation of Compliance (AoC)

    An Attestation of Compliance (AoC) is a document that confirms that an organization has undergone a Payment Card Industry Data Security Standard (PCI DSS) assessment and is compliant with the standard.

  • PCI DSS

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

  • PCI DSS Approved Scanning Vendor (ASV)

    A PCI DSS Approved Scanning Vendor (ASV) is a company that has been certified by the Payment Card Industry Security Standards Council (PCI SSC) to conduct external vulnerability scans of merchants and service providers that handle payment card data.

  • PCI Self-Assessment Questionnaire (SAQ)

    A PCI SAQ (Payment Card Industry Self-Assessment Questionnaire) is a tool used by merchants and service providers to assess their compliance with the PCI DSS.

  • Business Associate (HIPAA)

    A HIPAA business associate is a person or organization that provides certain services or functions involving access to protected health information (PHI) on behalf of a covered entity.

  • Patch Management

    Patch management is the process of identifying, acquiring, testing, and applying software updates.

  • Pen Test

    A penetration test (or “pen test”) is a simulated attack on an organization’s system and services, often conducted by a white hat or ethical hacker. The SOC 2 and ISO 27001 audits both require a penetration test. 

  • Phishing

    Phishing is a type of social engineering attack in which an attacker sends fraudulent emails, text messages, or other electronic communications to individuals, attempting to trick them into revealing sensitive information.

  • Platform as a Service (PaaS)

    PaaS, or Platform-as-a-Service, is a cloud computing model that offers organizations a complete cloud platform—hardware, software, and infrastructure—for developing, running, and managing applications without building and maintaining those platforms on-premises.

  • Policy

    A policy is a governing document describing what an organization does to ensure security and compliance. It outlines responsibilities and general procedures meant to implement and maintain specific security and compliance controls.

  • Privacy Policy

    A privacy policy is an important tool for organizations to communicate with their customers or users about how their personal information is collected, used, and protected, and to ensure compliance with applicable privacy laws and regulations.

  • Protected Health Information (PHI)

    PHI is protected under the Health Insurance Portability and Accountability Act (HIPAA), and includes any health data created, transmitted, or stored by a HIPAA-covered entity and its business associates.

  • Qualified Security Assessor (QSA)

    A Qualified Security Assessor (QSA) is an individual or organization that has been certified by the Payment Card Industry Security Standards Council (PCI SSC) to assess an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS).

  • Security Questionnaires

    A security questionnaire is a list of questions that assess your organization's security and data privacy practices. Organizations often exchange questionnaires as part of the due diligence process.

  • Ransomware

    Ransomware is a type of malicious software that encrypts a victim's files or system, rendering them inaccessible, and then demands a ransom payment in exchange for restoring access. 

  • Request for Information (RFI)

    An RFI, or Request for Information, is a standard business process for collecting written information about the capabilities of various suppliers.

  • Request for Proposal (RFP)

    An RFP, or Request for Proposal, is a document that organizations use to solicit proposals from potential vendors or service providers for a specific product or service.

  • Request for Quotation (RFQ)

    A Request for Quotation is a document and process used in procurement where an organization asks vendors or suppliers to provide a quote for the supply of specific products or services.

  • Risk Assessment

    A risk assessment is a process that helps organizations identify and evaluate their cybersecurity risks, vulnerabilities, and threats.

  • Risk Management

    Risk management is the process of identifying, assessing, and mitigating potential risks to an organization. 

  • HIPAA Breach Notification Rule

    The HIPAA Breach Notification Rule requires covered entities and their business associates to notify individuals, HHS, and, in some cases, the media when there is a breach of unsecured protected health information (PHI).

  • SOC 1

    The Service Organization Control 1 Report (SOC 1) is an auditor report assessing controls for financial reporting. The SOC 1 targets companies providing services that could affect clients’ financial statements or internal controls over financial reporting. 

  • SOC 2

    The Service Organization Control 2 Report (SOC 2) is an auditor report assessing controls for security and compliance. Any company offering a B2B service, along with any B2C company handling sensitive information, should think about getting a SOC 2 report completed. 

  • SOC 2 Auditor

    SOC 2 auditors evaluate how effective your security program is and determine whether your internal controls meet the requirements of your chosen Trust Services Criteria (TSC). 

  • SOC 2 Report

    A SOC 2 report summarizes the results of the compliance audit and the auditor’s findings.

  • SOC 2 Type I

    A SOC 2 Type 1 report examines the design of a service organization's system and controls at a specific point in time.

  • SOC 2 Type II

    A SOC 2 Type 2 report examines how well a service organization's system and controls perform over a period of time.

  • SOC 3

    The Service Organization Control 3 Report (SOC 3) is a more concise, high-level version of the SOC 2 meant to be released publicly as marketing material.

  • SSAE 16

    The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of standards developed specifically for certified public accountants (CPAs) to evaluate an organization’s internal controls and how service companies report on these controls.

  • SSAE 18

    The Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is a newer set of standards that replaced SSAE 16 to help increase the usefulness and quality of SOC 1 reports.

  • Social Engineering

    Social engineering refers to the use of psychological manipulation techniques to trick people into divulging sensitive information.

  • Standardized Information Gathering (SIG) Questionnaire

    The SIG is a comprehensive set of questions used to assess the cybersecurity, IT, data security, and privacy risks and controls of third-party service providers and vendors.

  • Statement of Applicability (ISO 27001)

    An ISO 27001 Statement of Applicability (SoA) is a document that identifies the controls that an organization has implemented to address the information security risks it has identified through a risk assessment.

  • System Description (SOC 2)

    A SOC 2 System Description is a narrative description of a service organization's systems, policies, and procedures related to the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy.

  • Test

    A test refers to an auditor’s independent review of a security or compliance control. Auditors may assess a control’s design or implementation by requesting a copy of a relevant policy, conducting interviews, asking for related procedures, or even taking a sample of evidence, such as screenshots or tickets.

  • Threat Assessment

    A threat assessment is a process of identifying, analyzing, and evaluating potential threats to an organization.

  • Unauthorized Access

    Unauthorized access refers to the act of accessing or attempting to access a system, network, or resource without proper authorization or permission.

  • Valley of Death

    In the military and defense sector, the valley of death describes the gap between a promising concept or prototype and its transition into a formal program or operational use.
